‘Credential Stuffing’ puts new spin on old tricks

by JASON KAMA
Community Outreach Specialist, BBB Northwest + Pacific | January 20, 2020 1:00 AM

Admit it. Most of us are guilty of using the same username and password on multiple accounts. It’s just so much easier to remember. But that one simple shortcut puts you at a much higher risk of getting hacked than ever before through a method called “credential stuffing.”

Here’s how it all started. These days, con artists gain access to our passwords and usernames in lots of different ways. They target large databases containing thousands — sometimes millions — of records at a time. Those records show up for sale on the dark web and, voila, your info is up for grabs. But what is this dark web? The Federal Trade Commission describes the dark web as the parts of the internet not indexed by traditional search engines, so it operates beneath the radar. The dark web is the internet equivalent of the black market; it’s where criminals looking to sell consumer data and other illegal goods and information tend to congregate.

So what happens to your information if it ends up there? Scammers buy usernames and passwords in bulk, and then — using automated hacking software — they try those credentials on many different websites all at once. If you’ve ever wondered what those “pesky” CAPTCHA codes on login pages are for, you just got some insight. This method of trying username and password combos on different sites is called “credential stuffing.” You might be thinking to yourself, “OK, that’s smart, but how often does this work?” At the end of last year, there were reports of hackers using credential stuffing to gain access to hundreds of thousands of Disney+ accounts. Once in, they could change the passwords and lock users out of their accounts. These hijacked accounts were then sold online for as little as $3.
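The pattern the column describes, one source trying many different leaked usernames and passwords with nearly every attempt failing, is exactly what a website’s own login logs reveal. Here is an added example, not from the column or the BBB, of a simple detector run over a constructed sample log; the log format, the IP addresses, the usernames and the thresholds are all made up for illustration.

```python
from collections import defaultdict

# Constructed sample login log (not real data): timestamp, client IP, username, outcome.
SAMPLE_LOG = """\
2020-01-19T08:00:01 198.51.100.7 alice FAIL
2020-01-19T08:00:02 198.51.100.7 bob FAIL
2020-01-19T08:00:02 198.51.100.7 carol OK
2020-01-19T08:00:03 198.51.100.7 dan FAIL
2020-01-19T08:00:03 198.51.100.7 erin FAIL
2020-01-19T08:00:04 198.51.100.7 frank FAIL
2020-01-19T08:05:10 203.0.113.5 gina FAIL
2020-01-19T08:05:25 203.0.113.5 gina FAIL
2020-01-19T08:05:40 203.0.113.5 gina OK
"""


def parse_line(line):
    """Split one log line into fields; outcome 'OK' means the login succeeded."""
    ts, ip, user, outcome = line.split()
    return {"ts": ts, "ip": ip, "user": user, "ok": outcome == "OK"}


def find_stuffing_sources(lines, min_attempts=5, min_distinct_users=4,
                          max_success_ratio=0.2):
    """Return {ip: stats} for sources whose pattern looks like credential stuffing.

    Stuffing tries one leaked password per account, so a single source cycles
    through many distinct usernames and nearly every attempt fails. A real user
    retrying their own password, or a brute-force run hammering one username,
    touches one account only and is not flagged by this rule.
    """
    by_ip = defaultdict(list)
    for rec in map(parse_line, filter(str.strip, lines)):
        by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        users = {r["user"] for r in recs}
        successes = sum(r["ok"] for r in recs)
        if (len(recs) >= min_attempts and len(users) >= min_distinct_users
                and successes / len(recs) <= max_success_ratio):
            flagged[ip] = {"attempts": len(recs), "distinct_users": len(users),
                           "successes": successes}
    return flagged


def accounts_to_reset(lines, flagged):
    """Accounts that logged in successfully from a flagged source: the reused
    password worked, so these users should be forced to change it."""
    return sorted({r["user"] for r in map(parse_line, filter(str.strip, lines))
                   if r["ip"] in flagged and r["ok"]})
```

On the sample log, `find_stuffing_sources(SAMPLE_LOG.splitlines())` flags only 198.51.100.7 (six attempts, six different usernames, one success), and `accounts_to_reset` then names carol as the account whose reused password worked, while gina’s two typos followed by a successful login from 203.0.113.5 are left alone.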

Credential stuffing affects many types of online accounts. According to Sharp Security, 90 percent of login attempts on retail websites are fraudulent, which, for the average consumer, can be mind-blowing when you think of how many accounts you have out there. So now it’s time to protect yourself.

Hackers rely on the fact that most people reuse the same usernames and passwords across multiple accounts. It’s critical to practice proper password safety, which means, at a minimum, using a different password for every online account. Also, while it may be harder to remember, you should make your passwords long, with a mix of letters, numbers and symbols. And if it is an option, always use two-factor verification, an extra layer of security that only allows access after performing multiple steps. Just a password will not suffice.

Here are some tips for making it easier to protect yourself from credential stuffing and break away from the “one password rules them all” mindset:

• Instead of using a single word, use a passphrase. Your phrase should be relatively long, around 20 characters, and include random words, numbers, and symbols. Pick something that you will be able to remember but others couldn’t come close to guessing, such as PurpleMilk #367JeepDog$. (I guess I should come up with a new one, now.)

• Avoid saving payment information on your online accounts. If you must, use one card for online shopping and make it a credit card. Credit cards have more federal and financial protections than a debit card and they aren’t a direct line to your cash.

• Delete old accounts: If you’re no longer going to use an account or service, delete the account altogether. These old accounts often go forgotten, but if it’s tied to a password you’re using elsewhere, hackers may be able to access it or even access new accounts using the old information.

• Be aware of emails stating someone is trying to access your account. These can be legitimate, and you’ll need to take action. But they can also be a phishing scam. Take an extra look at who is sending the email. What information do they include? Does anything look suspicious (logos, grammar, spelling)? Are they asking you to click a link or download an attachment?

• Consider a reputable password manager to store your information. These easy-to-access apps save all your password information and security question answers in case you ever forget. However, don’t forget to use a strong password to secure the information within your password manager.

• • •

If you have any questions or information about scams you have seen, please let us know, and we’d be happy to help! For more information on businesses, scams, and complaints, you can call 208-342-4649 or find us online at www.bbb.org.